我应该如何在我的REST API处理验证？ [英] How should I handle authentication in my REST API?

问题描述

我是新来这一点，但我会尽我所能解释什么，我试图做的。

I am new to this but I will try my best to explain what I am trying to do.

我有一个目录，我的用户希望能够通过自己的网站访问产品及各种私人信息。

I have a catalog of products and various private information that my users want to be able to access via their website.

例如：

的用户一个有一个电子商务网站，他们想卖我的商品。他们将能够通过Web服务来访问某些产品的详细信息。他们也将能够看到，我已经给了他们与其他一些私人细节一起协商的速率。的

应如何处理API认证来自用户一个网站上的要求？

How should the API handle authenticating the request that comes from User-a's website?

我一直在阅读所有的大约每天不同的身份验证方法，但他们似乎都围绕着第三方访问特定用户信息的想法。一个例子是，如果你让 http://randomtwitterapp.com 访问你的Twitter个人资料。在这种情况下，第三方网站必须管理多个不同的用户和身份验证令牌。在我们的例子，我的用户网站代表用户的交互。我希望这是有道理的。

I've been reading all day about different authentication methods but they all seem to revolve around the idea of a third party accessing specific user information. An example is if you let http://randomtwitterapp.com access your twitter profile. In that case, the third party site must manage multiple different users and auth tokens. In our case, my users website is interacting on behalf of the user. I hope this makes sense.

推荐答案

我们叫用户A爱丽丝，因为给她打电话的用户A是麻烦的。

Let's call user A "Alice" because calling her User-A is cumbersome.

治疗爱丽丝的网站，犹如爱丽丝自己。特殊的定价和这种是针对有问题的网站，因此具有的它的登录到您的网站。发行凭证开发网​​站的人将使用通过身份验证，然后使用这些凭据，以确定您展示定价和产品。

Treat Alice's web site as if it were Alice herself. The special pricing and such IS specific to the web site in question, so have it log into your site. Issue credentials that the person developing that site would use to authenticate with, and then use those credentials to determine the pricing and products you show.

至于实际的认证机制，这真的取决于你的需要。如果你需要做的是不同的数据服务对不​​同的人，你可以做作为查询字符串传递了一个API令牌简单的东西： http://api.example.com/products?key= 9af4d8381781baccb0f915e554f8798d

As for actual authentication mechanisms, it really depends on your needs. If all you need to do is serve different data to different people, you could do something as simple as an API token passed in the query string: http://api.example.com/products?key=9af4d8381781baccb0f915e554f8798d

或者，如果爱丽丝已经为您的网站用户名和密码，你可以有她使用那些在她与基本验证API请求。

Or if Alice already has a username and password for your site, you could have her use those in her API requests with Basic Auth.

如果爱丽丝将需要输入上，她无法控制的各种网站她的帐户信息，然后OAuth的是非​​常方便的。有了这一点，你基本上可以给她，她需要从访问您的API的每一个网站的API密钥。而你给他删除这些API密钥和拒绝这些网站访问的能力。

If Alice is going to need to enter her account information on various sites that she doesn't control, then oAuth comes in very handy. With that, you can essentially give her an API key for every site she needs to access your API from. And you give her the ability to delete those API keys and deny those sites access.

这篇关于我应该如何在我的REST API处理验证？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！